From e4fb068c12bd8c514691ef0d84fdc331f7b864f1 Mon Sep 17 00:00:00 2001
From: Nicolas Florentin
Date: Wed, 27 Jul 2022 10:28:58 +0200
Subject: [PATCH] fix xss vulnerability in projects

---
 app/views/api/projects/show.json.jbuilder | 5 +++--
 config/application.rb | 2 ++
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/views/api/projects/show.json.jbuilder b/app/views/api/projects/show.json.jbuilder
index 5f79f3e98..5eff4564e 100644
--- a/app/views/api/projects/show.json.jbuilder
+++ b/app/views/api/projects/show.json.jbuilder
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
-json.extract! @project, :id, :name, :description, :tags, :created_at, :updated_at, :licence_id, :slug
+json.extract! @project, :id, :name, :tags, :created_at, :updated_at, :licence_id, :slug
+json.description sanitize(@project.description)
 json.author_id @project.author.user_id
 json.project_image @project.project_image.attachment.large.url if @project.project_image
 json.project_full_image @project.project_image.attachment.url if @project.project_image
@@ -56,7 +57,7 @@ json.project_users @project.project_users do |pu|
 end
 json.project_steps_attributes @project.project_steps.order('project_steps.step_nb ASC') do |s|
 json.id s.id
- json.description s.description
+ json.description sanitize(s.description)
 json.title s.title
 json.project_step_images_attributes s.project_step_images.order('created_at ASC') do |si|
 json.id si.id
diff --git a/config/application.rb b/config/application.rb
index 2188891f5..1ae8adb38 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -74,6 +74,8 @@ module Fablab
 FabManager.activate_plugins!
+ config.action_view.sanitized_allowed_tags = %w(a acronym hr pre table b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p image iframe)
+
 config.after_initialize do
 plugins = FabManager.plugins
 plugins&.each(&:notify_after_initialize)
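Review bot: Sanitizing is applied only at this one output (`json.description sanitize(@project.description)` here and `sanitize(s.description)` in the project_steps hunk below), so the raw HTML stays in the database and any other view or serializer that emits `description` would still return it unescaped; if such views exist they need the same treatment, and sanitizing on write (a model callback or the controller's strong-params path) would close the gap at the source rather than per endpoint. The strength of these calls is also fixed by the allowlist added in config/application.rb in this same patch: it keeps `iframe`, which lets a description embed arbitrary third-party pages (the sanitizer strips unsafe URL schemes, not foreign origins), and it lists `image`, which is not an HTML element — the tag is `img` — so unless the editor emits a custom `<image>` element, either `<img>` content is being stripped unintentionally or that entry is a typo. A one-line comment above the new `json.description` line, e.g. `# output-side sanitizing; the tag allowlist lives in config.action_view.sanitized_allowed_tags`, would make that coupling visible to the next reader.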